Lecture 12: Public-Key Cryptography and RSA Lecture Notes on “Computer and Network Security” by Avi Kak ([email protected]) April 24, 2012 4:40pm c 2012 Avinash Kak, Purdue University Goals: • To review public-key cryptography • To demonstrate that confidentiality and sender-authentication can be achieved simultaneously with public-key cryptography • To review the Rivest-Shamir-Adleman (RSA) algorithm for public-key cryptography • To present the proof of the RSA algorithm • To go over the computational issues related to RSA. • To discuss the security of RSA 1
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
• To demonstrate that confidentiality and sender-authentication can be
achieved simultaneously with public-key cryptography
• To review the Rivest-Shamir-Adleman (RSA) algorithm for public-keycryptography
• To present the proof of the RSA algorithm
• To go over the computational issues related to RSA.
• To discuss the security of RSA
1
CONTENTS
Section Title Page
12.1 Public-Key Cryptography 3
12.2 The Rivest-Shamir-Adleman (RSA) Algorithm 8for Public-Key Cryptography — The Basic Idea
12.2.1 The RSA Algorithm — Putting to Use the Basic Idea 11
12.2.2 How to Choose the Modulus for the RSA Algorithm 13
12.2.3 Proof of the RSA Algorithm 16
12.3 Computational Steps for Key Generation in 20RSA Cryptography
12.3.1 Computational Steps for Selecting the Primes p and q 21in RSA Cryptography
12.3.2 Choosing a Value for the Public Exponent e 23
12.3.3 Calculating the Private Exponent d 26
12.4 A Toy Example That Illustrates How to Set n, 28e, and d for a Block Cipher Application of RSA
12.5 Modular Exponentiation for Encryption and 33Decryption
12.5.1 An Algorithm for Modular Exponentiation 36
12.6 The Security of RSA 41
12.7 Factorization of Large Numbers: The Old RSA 53Factoring Challenge
12.8 The RSA Algorithm: Some Operational Details 60
12.9 RSA: In Summary .... 66
12.10 Homework Problems 68
2
12.1: PUBLIC-KEY CRYPTOGRAPHY
• Public-key cryptography is also known as asymmetric-key cryp-
tography.
• Encryption and decryption is carried out using two different
keys. The two keys in such a key pair are referred to as the
public key and the private key. (As we will see, this solves
one of the most vexing problems associated with symmetric-key
cryptography — the problem of key distribution).
• With public key cryptography, all parties interested in secure
communications can publish their public keys.
• Party A, if wanting to communicate confidentially with party
B, can encrypt a message usingB’s publicly available key. Such a
communication would only be decipherable byB as onlyB would
have access to the corresponding private key. This is illustrated
by the top communication link in Figure 1 on page 5.
3
• Party A, if wanting to send an authenticated message to
party B, would encrypt the message with A’s own private key.
Since this message would only be decipherable with A’s pub-
lic key, that would establish the authenticity of the message —
meaning that A was indeed the source of the message. This is
illustrated by the middle communication link in Figure 1 on page
5.
• The communication link at the bottom of Figure 1 shows how
public-key encryption can be used to provide both confiden-
tiality and authentication at the same time. Note again
that confidentiality means that we want to protect a message
from eavesdroppers and authentication means that the recipient
needs a guarantee as to the identity of the sender.
• In Figure 1, A’s public and private keys are designated PUA and
PRA. B’s public and private keys are designated PUB and PRB.
• As shown at the bottom of Figure 1, let’s say thatA wants to send
a message M to B with both authentication and confidentiality.
The processing steps undertaken by A to convert M into its
encrypted form C that can be placed on the wire are:
C = E (PUB, E (PRA, M))
4
where E() stands for encryption. The processing steps under-
taken by B to recover M from C are
M = D (PUA, D (PRB, C))
where D() stands for decryption.
• The senderA encrypting his/her message with its own private key
PRA provides authentication. This step constitutes A putting
his/her digital signature on the message. Instead of applying the
private key to the entire message, a sender may also “sign” a message by applying
his/her private key to just a small block of data that is derived from the message to
be sent.
• The sender A further encrypting his/her message with the
receiver’s public key PUB provides confidentiality.
• Of course, the price paid for achieving confidentiality and au-
thentication at the same time is that now the message must be
processed four times in all for encryption/decryption. The mes-
sage goes through two encryptions at the sender’s place and two
decryptions at the receiver’s place. Each of these four steps in-
volves separately the computationally complex public-key
algorithm.
5
• IMPORTANT: Note that public-key cryptography does not
make obsolete the more traditional symmetric-key cryptography.
Because of the greater computational overhead associated with
public-key crypto-systems, symmetric-key systems continue to
be widely used for content encryption. However, it is generally
agreed that public-key encryption is indispensable for key man-
agement, for distributing the keys needed for the more traditional
symmetric key encryption/decryption of the content, for digital
signature applications, etc.
6
PUA PUB
PRA PUA PRBPUB
PRA PUB PUAPRB
PRA PUA PRBPUB
Encrypt with PUB Decrypt with PRB
Party A wants to send a message to Party B
When only confidentiality is needed:
When only authentication is needed:
When both confidentiality and authentication are needed:
A’s private key A’s public key
Mes
sage
B’s public key B’s private key
Message
Party A Party B
PRA PR B
Encrypt with PRA Decrypt with PUA
A’s private key A’s public key B’s public key B’s private key
Party A Party B
Mes
sage
Encryptwith
Encryptwith
Message
Decrypt Decrypt
with with
A’s private key A’s public key
Mes
sage
B’s public key B’s private key
Message
Party A Party B
Figure 1: This figure is from Lecture 12 of “Computer and Net-
work Security” by Avi Kak
7
12.2: THE RIVEST-SHAMIR-ADLEMAN (RSA)
ALGORITHM FOR PUBLIC-KEY
CRYPTOGRAPHY — THE BASIC IDEA
• The RSA algorithm — named after Ron Rivest, Adi Shamir, and
Leonard Adleman — is based on a property of positive integers
that we describe below.
• When n satisfies a certain property to be described later, in arith-
metic operations modulo n, the exponents behave modulo the to-
tient φ(n) of n. [See Section 11.3 of Lecture 11 for the definition of the totient of
a number.] For example, consider arithmetic modulo 15. We have
φ(15) = 8 for the totient. You can easily verify the following:
57 · 54 mod 15 = 5(7+4) mod 8 mod 15 = 53 mod 15 = 125 mod 15 = 5
(43)5 mod 15 = 4(3×5) mod 8 mod 15 = 47 mod 15 = 4
• Again considering arithmetic modulo n, let’s say that e is an
integer that is coprime to the totient φ(n) of n. Further, say that
8
d is the multiplicative inverse of emodulo φ(n). These definitions
of the various symbols are listed below for convenience:
n = a modulus for modular arithmetic
φ(n) = the totient of n
e = an integer that is relatively prime to φ(n)
[This guarantees that e will possess a
multiplicative inverse modulo φ(n)]
d = an integer that is the multiplicative
inverse of e modulo φ(n)
• Now suppose we are given an integer M , M < n, that represents
our message, then we can transform M into another integer C
that will represent our ciphertext by the following modulo expo-
nentiation:
C = M e mod n
At this point, it may seem rather strange that we would want to
represent any arbitrary plaintext message by an integer. But, it
is really not that strange. Let’s say you want a block cipher that
9
encrypts 1024 bit blocks at a time. Every plaintext block can
now be thought of as an integer M of value 0 ≤M ≤ 21024 − 1.
• As you will soon see, we can recover M back from C by the
following modulo operation
M = Cd mod n
10
12.2.1: The RSA Algorithm — Putting to Use the
Basic Idea
• The basic idea described in the previous subsection can be used
to create a confidential communication channel in the manner
described here.
• An individual A who wishes to receive messages confidentially
will use the pair of integers {e, n} as his/her public key. At thesame time, this individual can use the pair of integers {d, n} asthe private key. The definitions of n, e, and d are as in the
previous subsection.
• Another partyB wishing to send a messageM toA confidentially
will encrypt M using A’s public key {e, n} to create ciphertext
C. Subsequently, only A will be able to decrypt C using his/her
private key {d, n}.
• If the plaintext messageM is too long, B may choose to use RSA
as a block cipher for encrypting the message meant for A. As
explained by our toy example in Section 12.4, when RSA is used
as a block cipher, the block size is likely to be half the number of
11
bits required to represent the modulus n. If the modulus required,
say, 1024 bits for its representation, message encryption would be
based on 512-bit blocks. [While, in principle, RSA can certainly be used as a
block cipher, in practice it is more likely to be used just for exchanging a secret session
key and, subsequently, the session key used for content encryption using symmetric-key
cryptography based on, say, AES.]
• The important theoretical question here is as to what conditions
if any must be satisfied by the modulus n for this M → C →M
transformation to work?
12
12.2.2: How to Choose the Modulus for the RSA
Algorithm
• With the definitions of d and e as presented in Section 12.2, the
modulus n must be selected in such a manner that the following
is guaranteed:
(
M e)d)
≡ M ed ≡ M (mod n)
We want this guarantee because C = M e mod m is the en-
crypted form of the message integer M and decryption is carried
out by Cd mod n.
• It was shown by Rivest, Shamir, and Adleman that we have this
guarantee when n is a product of two prime numbers:
n = p× q for some prime p and prime q (1)
• The above factorization is needed because the proof of the algo-
rithm, presented in the next subsection, depends on the following
two properties of primes and coprimes:
13
1. If two integers p and q are coprimes (meaning, relatively prime
to each other), the following equivalence holds for any two
integers a and b:
{a ≡ b (mod p) and a ≡ b (mod q)} ⇔ {a ≡ b (mod pq)}(2)
This equivalence follows from the fact a ≡ b (mod p) im-
plies a − b = k1p for some integer k1. But since we also
have a ≡ b (mod q) implying a− b = k2q, it must be the
case that k1 = k3 × q for some k3. Therefore, we can write
a− b = k3× p× q, which establishes the equivalence. (Note
that this argument breaks down if p and q have common fac-
tors other than 1.) [We will use this property in the next subsection to
arrive at Equation (11) from the partial results in Equations (9) and (10).]
2. In addition to needing p and q to be coprimes, we also want
p and q to be individually primes. It is only when p and
q are individually prime that we can decompose the totient of
n into the product of the totients of p and q. That is
φ(n) = φ(p)× φ(q) = (p− 1)× (q − 1) (3)
See Section 11.3 of Lecture 11 for a proof of this. [We will use
this property to go from Equation (5) to Equation (6) in the next subsection.]
14
• So that the cipher cannot be broken by an exhaustive search for
the prime factors of the modulus n, it is important that both p
and q be very large primes. Finding the prime factors of
a large integer is computationally harder than deter-
mining its primality.
• We also need to ensure that n is not factorizable by one of the
modern integer factorization algorithms. More on that later in
these notes.
15
12.2.3: Proof of the RSA Algorithm
• We need to prove that when n is a product of two primes p and q,
then, in arithmetic modulo n, the exponents behave modulo the
totient of n. We will prove this assertion indirectly by establishing
that when an exponent e is chosen as a mod φ(n) multiplicative
inverse of another exponent d, then the following will always be
true M e×d ≡M (modn).
• Using the definitions of d and e as presented in Section 12.2, since
the integer d is the multiplicative inverse of the integer e modulo
the totient φ(n), we obviously have
e× d ≡ 1 (mod φ(n)) (4)
This implies that there must exist an integer k so that
e× d − 1 ≡ 0 (mod φ(n))
= k × φ(n) (5)
• It must then obviously be the case that φ(n) is a divisor of the
expression e×d − 1. But since φ(n) = φ(p)×φ(q), the totients16
φ(p) and φ(q) must also individually be divisors of e × d − 1.
That is
φ(p) | (e× d − 1) and φ(q) | (e× d − 1) (6)
The notation ‘|’ to indicate that its left argument is a divisor of
the right argument was first introduced at the end of Section 5.1
in Lecture 5.
• Focusing on the first of these assertions, since φ(p) is a divisor of
e× d − 1, we can write
e× d − 1 = k1φ(p) = k1(p − 1) (7)
for some integer k1.
• Therefore, we can write for any integer M :
M e×d mod p = M e×d − 1 + 1 mod p = Mk1(p − 1)×M mod p
(8)
17
• Now we have two possibilities to consider: Since p is a prime, it
must be the case that either M and p are coprimes or that M is
a multiple of p.
– Let’s first consider the case when M and p are coprimes. By
Fermat’s Little Theorem (presented in Section 11.2 of Lecture
11), since p is a prime, we have
M p − 1 ≡ 1 (mod p)
Since this conclusion obviously extends to any power of the
left hand side, we can write
Mk1(p − 1) ≡ 1 (mod p)
Substituting this result in Equation (8), we get
M e×d mod p = M mod p (9)
– Now let’s consider the case when the integer M is a multiple
of the prime p. Now obviously, M mod p = 0. This will also
be true for M raised to any power. That is, Mk mod p = 0
for any integer k. Therefore, Equation (9) will continue to be
true even in this case.
18
• From the second assertion in Equation (6), we can draw an iden-
tical conclusion regarding the other factor q of the modulus n:
M e×d mod q = M mod q (10)
• We established in Section 12.2.2 that, when p and q are coprimes,
for any integers a and b if we have a ≡ b (mod p) and a ≡ b
(mod q), then it must also be the case that a ≡ b (mod pq).
Applying this conclusion to the partial results shown in Equations
(9) and (10), we get
M e×d mod n = M mod n (11)
19
12.3: COMPUTATIONAL STEPS FOR KEY
GENERATION IN RSA CRYPTOGRAPHY
• The computational steps for key generation are
1. Generate two different primes p and q
2. Calculate the modulus n = p× q
3. Calculate the totient φ(n) = (p− 1)× (q − 1)
4. Select for public exponent an integer e such that 1 < e < φ(n)
and gcd(φ(n), e) = 1
5. Calculate for the private exponent a value for d such that
d = e−1 mod φ(n)
6. Public Key = [e, n]
7. Private Key = [d, n]
• The next three subsections elaborate on these computational
steps.
20
12.3.1: Computational Steps for Selecting the
Primes p and q in RSA Cryptography
• You first decide upon the size of the modulus integer n. Let’s say
that your implementation of RSA requires a modulus of size B
bits.
• To generate the prime integer p;
– Using a high-quality random number generator (See Lecture
10 on random number generation), you first generate a random
number of size B/2 bits.
– You set the lowest bit of the integer generated by the above
step; this ensures that the number will be odd.
– You also set the two highest bits of the integer; this ensures
that the highest bits of n will be set. (See Section 12.4 for an
explanation of why you need to set the first two bits.)
– Using the Miller-Rabin algorithm described in Lecture 11, you
now check to see if the resulting integer is prime. If not, you
increment the integer by 2 and check again. This becomes the
value of p.
21
• You do the same thing for selecting q. You start with a randomly
generated number of size B/2 bits, and so on.
• In the unlikely event that p = q, you throw away your random
number generator and acquire a new one.
• For greater security, instead of incrementing by 2 when the Miller-
Rabin test fails, you generate a new random number.
22
12.3.2: Choosing a Value for the Public Exponent e
• Recall that encryption consists of raising the message integer M
to the power of the public exponent e modulo n. This step is
referred to as modular exponentiation.
• The mathematical requirement on e is that gcd(e, φ(n)) = 1,
since otherwise e will not have a multiplicative inverse mod φ(n).
Since n = p × q, this requirement is equivalent to the two
requirements gcd(e, φ(p)) = 1 and gcd(e, φ(q)) = 1. In other
words, we want gcd(e, p− 1) = 1 and gcd(e, q − 1) = 1.
• For computational ease, one typically chooses a value for e that is
prime, has as few bits as possible equal to 1 for fast multiplication,
and, at the same time, that is cryptographically secure in the
sense described in the next bullet. Typical values for e are 3, 17,
and 65537 (= 216 + 1). Each of these values has only two bits
set, which makes for fast modular exponentiation. But
don’t forget the basic requirement on e that it must be relatively
prime to p − 1 and q − 1 simultaneously. Whereas p is prime,
p−1 definitely is not since it is even. The same goes for q−1. So
even if you wanted to, you may not be able to use a small integer
like 3 for e.
23
• Small values for e, such as 3, are considered cryptographically
insecure. Let’s say a sender A sends the same message M to
three different receivers using their respective public keys that
have the same e = 3 but different values of n. Let these values
of n be denoted n1, n2, and n3. Let’s assume that an attacker
can intercept all three transmissions. The attacker will see three
ciphertext messages: C1 = M 3 mod n1, C2 = M 3 mod n2,
and C3 = M 3 mod n3. Assuming that n1, n2, and n3 are
relatively prime on a pairwise basis, the attacker can use the
Chinese Remainder Theorem (CRT) of Section 11.7 of Lecture
11 to reconstruct M 3 modulo N = n1 × n2 × n3. (This assumes that
M3 < n1n2n3, which is bound to be true since M < n1, M < n2, and M < n3.) Having
reconstructed M 3, all that the attacker has to do is to figure out
the cube-root of M 3 to recover M . Finding cube-roots of even
large integers is not that hard. (The Homework Problems section includes a
programming assignment that focuses on this issue.)
• Having selected a value for e, it is best to double check that
we indeed have gcd(e, p−1) = 1 and gcd(e, q−1) = 1 (since
we want e to be coprime to φ(n), meaning that we want e to be
coprime to p− 1 and q− 1 separately). Remember, with a small
probability, the Miller-Rabin algorithm may declared p and/or
q to be prime when in fact they are composite. If either p or q
is found to not meet these two conditions on relative primality
of φ(p) and φ(q) vis-a-vis e, you must discard the calculated p
and/or q and start over. (It is faster to build this test into the
selection algorithm for p and q.) When e is a prime and greater
24
then 2, a much faster way to satisfy the two conditions is to
ensure
p mod e 6= 1
q mod e 6= 1
• To summarize the point made above, you give priority to
using a particular value for e – such as a value like 65537
that has only two bits set. Having made a choice for the en-
cryption integer e, you now find the primes p and q that, besides
satisfying all other requirements on these two numbers, also sat-
isfy the conditions that the chosen e would be coprime to the
totients φ(p) and φ(q).
25
12.3.3: Calculating the Private Exponent d
• Once we have settled on a value for the public encryption ex-
ponent e, the next step is to calculate the private decryption
exponent d from e and the modulus n.
• Recall that d× e ≡ 1 (mod φ(n)). We can also write this as
d = e−1 mod φ(n)
Calculating ‘e−1 mod φ(n)’ is referred to as modular inver-
sion.
• Since d is the multiplicative inverse of emodulo φ(n), we can use
the Extended Euclid’s Algorithm (see Section 5.6 of Lecture 5)
for calculating d. Recall that we know the value for φ(n) since
it is equal to (p− 1)× (q − 1).
• Note that the main source of security in RSA is keep-
ing p and q secret and therefore also keeping φ(n) se-
cret. It is important to realize that knowing either will reveal
26
the other. That is, if you know the factors p and q, you can
calculate φ(n) by multiplying p− 1 with q− 1. And if you know
φ(n) and n, you can calculate the factors p and q readily.
27
12.4: A TOY EXAMPLE THAT ILLUSTRATES
HOW TO SET n, e, d FOR A BLOCK CIPHER
APPLICATION OF RSA
• For the sake of illustrating how you’d use RSA as a block cipher,
let’s try to design a 16-bit RSA cipher for block encryption of disk
files. A 16-bit RSA cipher means that our modulus will span 16
bits. [Again, in the context of RSA, an N-bit cipher means that the modulus is of
size N bits and NOT that the block size is N bits. This is contrary to not-so-uncommon
usage of the phrase “N-bit block cipher” meaning a cipher that encrypts N-bit blocks
at a time as a plaintext source is scanned for encryption.]
• With the modulus size set to 16 bits, we are faced with the im-
portant question of what to use for the size of bit blocks for con-
version into ciphertext as we scan a disk file. Since our message
integer M must be smaller than the modulus n, obviously our
block size cannot equal the modulus size. This requires that we
use a smaller block size, say 8 bits, and use some sort of a padding
scheme to fill up the rest of the 8 bits. As it turns out, padding
is an important part of RSA ciphers. In addition to the need for
padding as explained here, padding is also needed to make the
cipher more resistant to certain vulnerabilities that are described
in the standards document RFC 3447. The same document also
presents the scheme to be used for padding.
28
• In the rest of the discussion in this section, we will assume for our
toy example that our modulus will span 16 bits, but the block
size will be smaller than 16 bits, say, only 8 bits. We will further
assume that, as a disk file is scanned, each bit block is padded
with zeros to make it 16 bits wide. We will refer to this padded
bit block as our message integer M .
• So our first job is to find a modulus n whose size is 16 bits. Recall
that n must be a product of two primes p and q. Assuming
that we want these two primes to be roughly the same size, let’s
allocate 8 bits to p and 8 bits to q.
• So the issue now is how to find a prime suitable for our 8-bit
representation. Following the prescription given in Section 12.3.1,
we could fire up a random number generator, set its first two
bits and the last bit, and then test the resulting number for its
primality with the Miller-Rabin algorithm presented in Lecture
11. But we don’t need to go to all that trouble for our toy
example. Let’s use the simpler approach described below.
• Let’s assume that we have an as yet imaginary 8-bit word for p
whose first two and the last bit are set. And assume that the same
is true for q. So both p and q have the following bit patterns:
29
bits of p : 11−− −−− 1
bits of q : 11−− −−− 1
where ’−’ denotes the bit that has yet to be determined. As you
can verify quickly from the three bits that are set, such an 8-bit
integer will have a minimum decimal value of 193. [Here is a reason
for why you need to manually set the first two bits: Assume for a moment that you
set only the first bit. Now it is theoretically possible for the smallest values for p and q
to be not much greater than 27. So the product p× q could get to be as small as 214,
which obviously does not span the full 16 bit range desired for n. When you set the first
two bits, now the smallest values for p and q will be lower-bounded by 27 + 26. So the
product p×q will be lower-bounded by 214+2×213+212, which itself is lower-bounded
by 2×214 = 215, which corresponds to the full 16-bit span. With regard to the setting
of the last bit of p and q, that is to ensure that p and q will be odd.]
• So the question reduces to whether there exist two primes (hope-
fully different) whose decimal values exceed 193 but are less than
255. If you carry out a Google search with a string like “first
1000 primes,” you will discover that there exist many candidates
for such primes. Let’s select the following two
p = 197
q = 211
30
which gives us for the modulus n = 197× 211 = 41567. The bit
pattern for the chosen p, q, and modulus n are:
bits of p : 0Xc5 = 1100 0101
bits of q : 0Xd3 = 1101 0011
bits of n : 0Xa25f = 1010 0010 0101 1111
As you can see, for a 16-bit RSA cipher, we have a
modulus that requires 16 bits for its representation.
• Now let’s try to select appropriate values for e and d.
• For e we want an integer that is relatively prime to the totient
φ(n) = 196 × 210 = 41160. Such an e will also be relatively
prime to 196 and 210, the totients of p and q respectively. Since
it is preferable to select a small prime for e, we could try e = 3.
But that does not work since 3 is not relatively prime to 210. The
value e = 5 does not work for the same reason. Let’s try e = 17
because it is a small prime and because it has only two bits set.
• With e set to 17, we must now choose d as the multiplicative
inverse of e modulo 41160. Using the Bezout’s identity based
calculations described in Section 5.6 of Lecture 5, we write
31
gcd(17, 41160) |
= gcd(41160, 17) | residue 17 = 0 x 41160 + 1 x 17
= gcd(17, 3) | residue 3 = 1 x 41160 - 2421 x 17
= gcd(3,2) | residue 2 = -5 x 3 + 1 x 17
| = -5x(1 x 41160 - 2421 x 17) + 1 x 17
| = 12106 x 17 - 5 x 41160
= gcd(2,1) | residue 1 = 1x3 - 1 x 2
| = 1x(41160 - 2421x17)
| - 1x(12106x17 -5x41160)
| = 6 x 41160 - 14527 x 17
| = 6 x 41160 + 26633 x 17
where the last equality for the residue 1 uses the fact that the
additive inverse of 14527 modulo 41160 is 26633. [If you don’t like
working out the multiplicative inverse by hand as shown above, you can use the Python
script shown in Section 7.11 of Lecture 7 for doing the same. Another option would be
to use the multiplicative inverse() method of the BitVector class.]
• The Bezout’s identity shown above tells us that the multiplicativeinverse of 17 modulo 41160 is 26633. You can verify this fact by
showing 17× 26633 mod 41160 = 1 on your calculator.
• Our 16-bit block cipher based on RSA therefore has the following
numbers for n, e, and d:
n = 41567
e = 17
d = 26633
Of course, as you would expect, this block cipher would have no
security since it would take no time at all for an adversary to
factorize n into its components p and q.
32
12.5: MODULAR EXPONENTIATION FOR
ENCRYPTION AND DECRYPTION
• As mentioned already, the message integer M is raised to the
power e modulo n. That gives us the ciphertext integer C. De-
cryption consists of raising C to the power d modulo n.
• The exponentiation operation for encryption can be carried out
efficiently by simply choosing an appropriate e. (Note that the
only condition on e is that it be coprime to φ(n).) As mentioned
previously, typical choices for e are 3, 17, and 65537. All these
are prime and each has only two bits set.
• Modular exponentiation for decryption, meaning the calculation
of Cd mod n, is an entirely different matter since we are not
free to choose d. The value of d is determined completely by e
and n.
• Computation of Cd mod n can be speeded up by using the
Chinese Remainder Theorem (CRT) (see Section 11.7 of Lecture 11 for
CRT). Since the party doing the decryption knows the prime fac-
tors p and q of the modulus n, we can first carry out the easier
33
exponentiations:
Vp = Cd mod p
Vq = Cd mod q
• To apply CRT as explained in Section 11.7 of Lecture 11, we must
also calculate the quantities
Xp = q × (q−1 mod p)
Xq = p× (p−1 mod q)
Applying CRT, we get
Cd mod n = (VpXp + VqXq) mod n
• Further speedup can be obtained by using Fermat’s Little Theo-
rem (presented in Section 11.2 of Lecture 11) that says that if a
and p are coprimes then ap−1 = 1 mod p.
• To see how Fermat’s Little Theorem can be used to speed up
the calculation of Vp and Vq. Vp requires Cd mod p. Since p
34
is prime, obviously C and p will be coprimes. We can therefore
write
Vp = Cd mod p = Cu×(p−1) + v mod p = Cv mod p
for some u and v. Since v < d, it’ll be faster to compute
Cv mod p than Cd mod p.
35
12.5.1: An Algorithm for Modular Exponentiation
• After we have simplified the problem of modular exponentiation
considerably by using CRT and Fermat’s Little Theorem as dis-
cussed in the previous subsection, we are still left with having to
calculate:
AB mod n
for some integers A, B, and for some modulus n.
• What is interesting is that even for small values for A and B, the
value of AB can be enormous. For example, both A and B may
consist of only a couple of digits, as in 711, but the result could still
be a very large number. For example, 711 equals 1, 977, 326, 743,
a number with 10 decimal digits. Now just imagine what would
happen if, as would be the case in cryptography, A had, say, 256
binary digits (that is 77 decimal digits) and B was, say, 65537.
Even when B has only 2 digits (say, B = 17), when A has 77
decimal digits, AB will have 1304 decimal digits.
• The calculation of AB can be speeded up by realizing that if B
can be expressed as a sum of smaller parts, then the result is
36
a product of smaller exponentiations. We can use the following
binary representation for the exponent B:
B ≡ bkbk−1bk−2 . . . b0 (binary)
where we are saying that it takes k bits to represent the exponent,
each bit being represented by bi, with bk as the highest bit and
b0 as the lowest bit. In terms of these bits, we can write the
following equality for B:
B =∑
bi 6=02i
• Now the exponentiation AB may be expressed as
AB = A∑
bi 6=0 2i
=∏
bi 6=0A2i
We could say that this form of AB halves the difficulty of com-
puting AB because, assuming all the bits of B are set, the largest
value of 2i will be roughly half the largest value of B.
• We can achieve further simplification by bringing the rules of
modular arithmetic into the multiplications on the right:
AB mod n =
∏
bi 6=0
[
A2i mod n]
mod n
37
Note that as we go from one bit position to the next higher bit
position, we square the previously computed power of A.
• The A2i terms in the above product are of the following form
A20, A21, A22, A23, . . .
As opposed to calculating each term from scratch, we can calcu-
late each by squaring the previous value. We may express this
idea in the following manner:
A, A2previous, A2
previous, A2previous, . . .
• Now we can write an algorithm for exponentiation that scans the
binary representation of the exponent B from the lowest bit to
the highest bit:
result = 1
while ( B > 0 ) :
if ( B & 1 ) : # check the lowest bit of B
result = ( result * A ) mod n
B = B >> 1 # shift B by one bit to right
A = ( A * A ) mod n
return result
38
• To see the dramatic speedup you get with modular exponentia-
tion, try the following terminal session with Python
[ece404.12.d]$ => script
Script started on Mon 20 Feb 2012 10:23:32 PM EST
[ece404.12.d]$ => python
>>>
>>> print pow(7, 9633196, 9633197)
117649
>>>
>>>
>>>
>>> print (7 ** 9633196) % 9633197
117649
>>>
where the call to pow(7, 9633196, 9633197) calculates
79633197−1 mod 9633197 through Python’s implementation of the
modular exponentiation algorithm presented in this section. This
call will return instantaneously with the answer shown above.
On the other hand, the second call that carries out the same
calculation, but without resorting to modular exponentiation,
may take several minutes, depending on the hardware in your
machine. [You are encouraged to make similar comparisons with numbers that are even larger
than those shown here. If you wish, you can record your terminal-interactive Python session with the
command script as I did for the session presented above. First invoke script and then invoke
python as shown above. Your interactive work will be saved in a file called typescript. You can exit
the Python session by entering Ctrl-d and then exit the recording of your terminal session by entering
Ctrl-d again.]
39
• Whereas the RSA algorithm is made theoretically possible by the
idea that, in arithmetic modulo n, the exponents behave modulo
the totient of n when n is a product of two primes, the algorithm
is made practically possible by the fact that there exist fast and
memory-efficient algorithms for modular exponentiation.
40
12.6: THE SECURITY OF RSA
• A particular form of attack on RSA that has been a focus of
considerable attention is the mathematical attack.
• The mathematical attack consists of figuring out the prime factors
p and q of the modulus n. Obviously, knowing p and q, the
attacker will be able to figure out the exponent d for decryption.
• Another way of stating the same as above would be that the
attacker would try to figure out the totient φ(n) of the modulus n.
But as stated earlier, knowing φ(n) is equivalent to knowing the
factors p and q. If an attacker can somehow figure out φ(n), the
attacker will be able to set up the equation (p−1)(q−1) = φ(n),
that, along with the equation p× q = n, will allow the attacker
to determine the values for p and q.
• Because of their importance in public-key cryptography, a num-
ber that is a product of two (not necessarily distinct) primes is
known as a semiprime. Such numbers are also called biprimes,
pq-numbers, and 2-almost primes. Currently the largest
known semiprime is
41
(230,402,457 − 1)2
This number has over 18 million digits. This is the square of the
largest known prime number.
• Over the years, various mathematical techniques have been devel-
oped for solving the integer factorization problem involving
large numbers. A detailed presentation of integer factorization
is beyond the scope of this lecture. We will now briefly mention
some of the more prominent methods, the goal here being
merely to make the reader familiar with the existence
of the methods. For a full understanding of the mentioned
methods, the reader must look up other sources where the meth-
ods are discussed in much greater detail [Be aware that while the methods listed
below can factorize large numbers, for very large numbers of the sort used these days in RSA cryptography,
you have to custom design the algorithms for each attack. Customization generally consists of making various
conjectures about the modulo properties of the factors and using the conjectures to speed up the search for the
factors.]:
Trial Division: This is the oldest technique. Works quite well
for removing primes from large integers of up to 12 digits (that
is, numbers smaller then 1012). As the name implies, you sim-
ply divide the number to be factorized by successively larger
integers. A variation is to form a product m = p1p2p3 . . . prof r primes and to then compute gcd(n,m) for finding the
42
largest prime factor in n. Here is a product of all primes
p ≤ 97:
2305567963945518424753102147331756070
Fermat’s Factorization Method: Is based on the notion that
every odd number n that has two non-trivial factors can be
expressed as a difference of two squares, n = (x2 − y2). If
we can find such x and y, then the two factors of n are (x−y)
and (x+ y). Searching for these factors boils down to solving
x2 ≡ y2 (mod n). This is referred to as a congruence of
squares. That every odd n can be expressed as a difference
of two squares follows from the fact that if n = a× b, then
n = [(a + b)/2]2 − [(a − b)/2]2
Note that since n is assumed to be odd, both a and b are
odd, implying that a + b and a − b will both be even. In its
implementation, one tries various values of x hoping to find
one that yields a square for x2 − n. The search is begun with
with the integer x = ⌈√n⌉. Here is the pseudocode for thisapproach
x = ceil( sqrt( n ) ) # assume n is odd
y_squared = x ** 2 - n
while y_squared is not a square
x = x + 1
y_squared = x ** 2 - n # y_squared = y_squared + 2*x + 1
43
return x - sqrt( b_squared )
This method works fast if n has a factor close to its square-
root. In general, its complexity is O(n). Fermat’s method can
be speeded up by using trial division for candidate factors up
to√n.
Sieve Based Methods: Sieve is a process of successive cross-
ing out entries in a table of numbers according to a set of
rules so that only some remain as candidates for whatever one
is looking for. The oldest known sieve is the sieve of Er-
atosthenes for generating prime numbers. In order to find
all the prime integers up to a number, you first write down
the numbers successively (starting with the number 2) in an
array-like display. The sieve algorithm then starts by crossing
out all the numbers divisible by 2 (and adding 2 to the list of
primes). Next you cross out all the entries in the table that are
divisible by 3 and you add 3 to the list of primes, and so on.
Modern sieves that are used for fast factorization are known as
quadratic sieve, number field sieve, etc. The quadratic
sieve method is the fastest for integers under 110 decimal dig-
its and considerably simpler than the number field sieve. Like
the principle underlying Fermat’s factorization method, the
quadratic sieve method tries to establish congruences modulo
n. In Fermat’s method, we search for a single number x so
that x2 mod n is a square. But such x’s are difficult to find.
With quadratic sieve, we compute x2 mod n for many x’s and
44
then find a subset of these whose product is a square.
Pollard-ρ Method: It is based on the following observations:
– Say d is a factor of n. Obviously, the yet unknown
d satisfies d|n. Now assume that we have two randomly
chosen numbers a and b so that a ≡ b (mod d). Obviously,
for such a and b, a−b ≡ 0 (mod n), implying a−b = kd
for some k, further implying that dmust also be a divisor of
the difference a−b. That is, d|(a−b). Since, by assumption,
d|n, it must be the case that gcd(a−b, n) is a multiple of d.We can now set d to the answer returned by gcd, assuming
that this answer is greater than 1. Once we find such a
factor of n, we can divide n by the factor and repeat the
algorithm on the resulting smaller integer.
– This suggests the following approach to finding a factor of
n: (1) Randomly choose two numbers a, b ≤ √n; (2) Findgcd(a− b, n); (3) If this gcd is equal to 1, go back to step
1 until the gcd calculation yields a number d greater than
1. This d must be a factor of n. [A discerning reader might say
that since we know nothing about the factor d of n and since we are essentially shooting in
the dark when making guesses for a and b, why should we expect a performance any better
than making random guesses for the factors of n up to the square-root of n. That may well
be true in general, but the beauty of searching for the factors via the differences a − b is
45
that it generalizes to the main feature of the Pollard-ρ algorithm in which the sequence
of integers you choose for b grows twice as fast as the sequence of integers you
choose for a. It is this feature that makes for a much more efficient way to look for the
factors of n. This feature is implemented in lines (E10), (E11), and (E12) of the code shown
at the end of this section. As was demonstrated by Pollard, letting b grow twice as fast as a
in gcd(a− b, n) makes for fast detection of cycles, these being two different numbers a and b
that are congruent modulo some integer d < n.]
– In the code shown at the end of this section, the simple pro-
cedure laid out above is called pollard rho simple(); its
implementation is shown in lines (D1) through (D15) of the
code. We start the calculation by choosing random num-
bers for a and b, and computing gcd(a − b, n). Assuming
that this gcd equals 1, we now generate another candidate
for b in the loop in lines (D9) through (D14). For each
new candidate generated for b, its difference must be com-
puted from all the previously generated random numbers
and the gcd of the differences computed. In general, for the
kth random number selected for b, you have to carry out k
calculations of gcd.
– The above mentioned ever increasing number of gcd cal-
culations for each iteration of the algorithm is avoided by
what is the heart of the Pollard-ρ algorithm. The candidate
numbers are generated pseudorandomly using a function f
that maps a set to itself through the equivalence of the re-
46
mainders modulo n. Let’s express the sequence of numbers
generated through such a function by xi+1 = f(xi) mod n.
Again assuming the yet unknown factor d of n, sup-
pose we discover a pair of indices i and j, i < j, for
this sequence such that xi ≡ xj (mod d), then obviously
f(xi) ≡ f(xj) (mod d). This implies that each element of
the sequence after j will be congruent to each correspond-
ing element of the sequence after i modulo the unknown
d.
– So let’s say we can find two numbers in the sequence xi and
x2i that are congruent modulo the unknown factor d, then
by the logic already explained d|(xi − x2i). Since d|n, itmust be case that gcd(xi − x2i, n) must be a factor of n.
– The Pollard-ρ algorithm uses a function f() to generate
two sequence xi and yi, with the latter growing twice as
fast as the former — see lines (E10), (E11), and (E12) of
the code for an illustration of this idea. That is, at each
iteration, the first sequence corresponds to xi+1 ← f(xi)
and yi+1 ← f(f(yi)). This would cause each (xi, yi) pair
to be the same as (xi, x2i). If we are in the cycle part of the
sequence, and if xi ≡ x2i (mod d), then we must have a
d = gcd((xi − yi), n), d 6= 1 and we are done.
47
– The most commonly used function f(x) is the polynomial
f(x) = x2 + c mod n with the constant c not allowed
to take the values 0 and −2. The code shown in lines
(E4) through (E15) constitutes an implementation of this
polynomial.
– Some parts of the implementation of the overall integer fac-
torization algorithm shown below should already be famil-
iar to you. The calculation of gcd in lines in (B1) through
(B4) is from Section 5.4.5 of Lecture 5. The Miller-Rabin
based primality testing code in lines (C1) through (C22) is
from Section 11.5.5 of Lecture 11.
#!/usr/bin/env python
## Factorize.py
## Author: Avi Kak
## Date: February 26, 2011
## Modified: Febrary 25, 2012
import random
import sys
def gcd(a,b): #(B1)
while b: #(B2)
a, b = b, a%b #(B3)
return a #(B4)
def test_integer_for_prime(p): #(C1)
probes = [2,3,5,7,11,13,17] #(C2)
for a in probes: #(C3)
if a == p: return 1 #(C4)
if any([p % a == 0 for a in probes]): return 0 #(C5)
k, q = 0, p-1 #(C6)
while not q&1: #(C7)
q >>= 1 #(C8)
48
k += 1 #(C9)
for a in probes: #(C10)
a_raised_to_q = pow(a, q, p) #(C11)
if a_raised_to_q == 1 or a_raised_to_q == p-1: continue #(C12)